We’ve added to Windows Secrets a new full-time writer who’s dedicated to bringing you new insights into the challenges of running Microsoft software.

Stuart J. Johnston is a technology reporter who’s covered the motley crew that is the computer industry for more than 20 years — and you’ll now find his revelations in Windows Secrets every week.

Stuart has won more awards than I can shake a stick at. As the Northwest bureau chief for InfoWorld magazine starting in 1988, he broke stories such as the Microsoft/IBM “divorce.” In 1993, he won the Computer Press Association’s award for Best News Story for his coverage of Microsoft’s recall of MS-DOS 6.0 and its replacement with version 6.2.

Most recently, Stuart won a gold award from the Association of Business Press Editors for his article on the fire hazards of laptop batteries, which was published in the November 2006 issue of PC World magazine.

Stuart will continue to write each month the widely read “Bugs & Fixes” column in PC World, which he’s contributed to that magazine for the past eight years. Interestingly, he took over that feature from Scott Spanbauer, who now reviews programs in our Best Software column twice a month. (Scott alternates writing that column with Ian “Gizmo” Richards, our senior editor.)

We plucked Stuart from InternetNews.com, where until recently he was posting stories on breaking developments in the computer world. Prior to that, he was writing for such outlets as InformationWeek, the MIT Technology Review, JavaPro, .NET magazine, Enterprise Developer, and many others. (Stuart uses his middle initial, “J.,” to distinguish himself from Stuart C. Johnston, a venture capitalist involved with many high-tech companies.)

As our new associate editor, Stuart joins Scott Dunn, who’s writing a series of reviews to update our site’s “software sidebar.” (See my July 24 article.) Scott tackles the subject of password managers today, with more reviews to follow in future weeks.

If you have a tip for Stuart or any of our writers, they’re eager to hear ‘em. Send in your tricks and workarounds, using the Windows Secrets contact page. Thanks!

Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.

A promise of safer personal health data

Your private health information is migrating wholesale onto the public network with the advent of online health-care records stored in massive data centers around the world.

While the services aim to make it easier for consumers to access and manage their personal health information, the ready availability of this data also makes it much easier and less expensive for insurers to put your medical history under the microscope.

Surprised? You shouldn’t be. You voluntarily grant access to that sensitive information every time you sign a waiver so that your health insurer can decide whether to pay for a doctor’s visit, a prescription, or an expensive medical test.

What’s more, most of the gathering and collating of this information is legal. In fact, the number of companies that have access to this information runs into the millions, say privacy advocates.

As recently as last year, only 1% to 3% of U.S. consumers had electronic versions of their health records, according to market research firm Health Industry Insights, an IDC company.

That is about to change.

The fact that two of the biggest players in the emerging world of cloud computing services — Microsoft and Google — are jumping into that arena with both feet will likely accelerate the shift to online medical records.

Microsoft kicked off the beta test of its HealthVault service almost a year ago, while Google announced its Google Health service last February and launched a beta in May. While both services are still in beta, each company has partnered with large health-care providers for pilot tests: Microsoft with Kaiser Permanente and Google with the Cleveland Clinic.

Private health data goes public by mistake

Part of consumers’ reticence to sign up for electronic personal health-care records — with or without services “in the cloud” — has to do with a handful of recent high-profile data breaches. In April, the largest health insurer in the U.S., WellPoint, disclosed that records on as many as 130,000 of its customers had leaked out and become publicly available over the Internet.

To be fair, so-called cloud services aren’t at fault, at least not so far. Microsoft, Google, and other companies that put your medical records online are adamant that their security is top-of-the-line. Their services are intended to give consumers greater, not less, control over who sees what by giving consumers personal ownership of their information, according to the services.

“[As a consumer], I control release of that information,” Grad Conn, senior director of the Microsoft Health Solutions group, told me in describing HealthVault. A Google spokesperson expressed virtually the same assurance about Google Health. Neither company is disclosing how many users it has signed up thus far.

Indeed, consumers’ control of their health data is not the core problem. It’s what happens to your information after its initial release that worries privacy advocates — and with good reason. Once the data leaves the safe harbor of a secure cloud service, it’s fair game for companies in several different industries.

Take, for example, prescription records.

“All 51,000 pharmacies in the U.S. are wired for data mining. Selling prescription records is a multibillion-dollar-a-year industry,” states an FAQ published by Patient Privacy Rights, a major consumer-health and privacy-rights organization.

This data mining of prescription records can cost consumers big-time.

For instance, a July article in Business Week cited the case of a Louisiana couple denied health insurance because the wife took two medications that set off red flags for a prospective insurer.

Ironically, both were for “off-label” uses — that is, they were prescribed not for the maladies that the drugs were originally designed to treat. The woman’s doctor prescribed an antidepressant to help her sleep due to symptoms of menopause and a hypertension drug to reduce swelling in her ankles. Although clinically she was neither depressed nor had high blood pressure, the couple’s application for health insurance was denied, the article stated.

Or take the case of supermarket customers who use so-called “affinity” cards to obtain discounts at their favorite grocery. Data showing that a customer regularly buys cigarettes might be obtained by an insurer or employer and combined with a health record where the customer claimed to be a nonsmoker.

“It’s interesting how they can tie all of that [information] together,” Lynne Dunbrack, program director at Health Industry Insights, told Windows Secrets.

Consumer privacy may get lost in the clouds

Cloud computing is the latest buzz phrase for putting the massive processing power and storage capacity needed to provide ubiquitous computing out on servers located on the public network, or “in the cloud.” Microsoft, Google, and many other online companies have embraced the idea.

Most observers — including privacy advocates — state that the move to store our health records in the cloud is inevitable. In fact, there are many benefits to consumers for having that information available virtually instantly. For example, if you were in a different city and needed to be rushed to the emergency room, your health history would be immediately available to the physicians on call.

Or, Dunbrack added, having access to a patient’s complete prescription information can help displaced persons stay alive in a hurricane-ravaged area, for example.

In fact, a survey conducted last spring for the Markle Foundation found that, of nearly 1,600 respondents, four out of five see electronic health records as useful, but many indicated that protecting the confidentiality of that information is crucial. “Nearly half called specific privacy practices ‘critical’ in their decision to try one out,” a foundation statement said.

The downside is that storing health records online makes it easier for insurers to calculate the odds that you will be more expensive to insure than the next person. That’s the rub, say privacy advocates.

Wait, you say. Isn’t there a law that keeps your data from being misused? Yes and no.

It’s called the Health Insurance Portability and Accountability Act, or HIPAA. Moreover, there are many exceptions to the law. Additionally, both Microsoft and Google claim their health services are not subject to HIPAA regulation, since they don’t offer health-care services themselves.

Pam Dixon, executive director of the World Privacy Forum, says HIPAA is far from perfect but better than no protection at all. “Before HIPAA, it really was much worse,” she said. However, she agrees that “secondary use” of patient data has become an industry unto itself — a genie that will be difficult or even impossible to get back into the bottle due to the billions of dollars that can be made from it.

“Right now, disclosure of health information is out of control,” Dixon said, adding ruefully, “Technology is not going to go backwards.”

How to safeguard your health-care records

So, what can you do to protect yourself? Patient Privacy Rights offers these recommendations and questions to ponder as you navigate the sometimes-perilous world of electronic health records:

• Don’t even think about using a personal health record (PHR) that’s offered by an employer or insurer. These are the last companies with which you want to share all your personal health and daily activities.

• Don’t simply rely on a “HIPAA-compliant” PHR. HIPAA has more loopholes than the tax law; millions of businesses can legally access your information without your consent.

• How do you authorize access to the information? If gaining access requires nothing more than having someone guess your password, say “no, thanks.”

• Does the PHR provider have the right under its “agreements” to take, sell, or share your information?

• What security does the PHR provide?

Finally, a little personal advice: hold off signing up for any electronic health-records system for the time being. So few people have joined to date that there are bound to be problems to work out, not to mention the potential for identity theft. Let somebody else play the role of pioneer.

Stuart Johnston is associate editor of WindowsSecrets.com. He’s written about technology for InfoWorld, Computerworld, InformationWeek, and InternetNews.com.

From shopping and banking sites to network- and remote-access logins, we’re inundated with requests to create and remember a plethora of passwords.

Fortunately, plenty of free tools help us store and organize our passwords in a single, secure location.

Login aids can be more hindrance than help

If you counted the number of times you were prompted to enter a login ID and password in the course of a working day, you could be approaching double digits by your afternoon break.

Firefox, Internet Explorer, and other browsers offer to remember passwords for the sites you visit. However, your passwords are not always secure when stored in a browser — though Firefox is a safer bet, since you can encrypt its passwords with a master password.

Furthermore, you might need a tool that saves passwords for other programs, not just Web sites. If you’re like me, relying on your memory is perilous, and writing your passwords on a piece of paper — even one you keep in your wallet or some other relatively secure location — is dangerous. That’s where password-management utilities come in.

Password managers are small databases designed to help you manage the deluge of passwords needed to navigate your computer, network, and Internet needs. With the exception of RoboForm’s browser toolbar, most of these programs have a similar interface and features, including but not limited to the following:

• A main window showing a list of your account names, passwords, URLs, and so forth

Step 3. Switch back to the password manager window and copy the account password.

Step 4. Switch to the browser yet again to paste in the password.

KeePass, Access Manager, 4uonly, and other programs simplify this process only slightly by letting you drag and drop the information between windows. However, you still have to switch between windows repeatedly.

There are so many password managers available that I had to limit my selection to those that offer a free version and also include a wealth of features. Not all of the programs claim to run under Vista, but they all worked fine in that operating system during my tests, with the exception of Password Corral’s online help.

RoboForm takes a unique approach to password management, using as its main interface a toolbar that attaches to your Internet Explorer or Firefox browser. The program monitors your Web surfing and offers to save any name and password information you enter at a site. (You can also enter your Web IDs and passwords manually.)

Once the information is in the program, logging into a site is a simple matter of choosing a button or pop-up menu option from the toolbar to fill and submit the form. It’s slick and easy, and it certainly beats the two-window shuffle required by other password managers.

To save even more clicks, place bookmarks to login pages in RoboForm’s pop-up menu, which lets you navigate to the page and log in with a single click.

RoboForm doesn’t just automate your logins. The program is also a great way to save such personal information as your name, address, phone numbers, and credit card numbers for automatically filling out online forms. Like your passwords, this information is encrypted and accessible from a master password, which is cached in memory so you need enter it only once per session.

As with the other programs I tested, RoboForm lets you organize its “passcards” (what it calls each database record) into groups, if desired. You can also create multiple profiles for other purposes or other users.

Unlike the other applications I tested, you can’t attach custom notes to each item or account in RoboForm. However, the program’s “Safenotes” feature lets you enter secure data for any purpose, such as ATM passwords.

UPDATE 2008-09-22: After publication, several readers pointed out that you can annotate entries in RoboForm by clicking Edit, Add Note. Our thanks to the readers who alerted us to this error.

Siber Systems also makes a version called RoboForm2Go that runs from a USB memory stick or flash drive. When you insert the device into a computer’s USB slot, the RoboForm data is available to you. Removing it leaves no trace of your passwords.

For some, the biggest downside to RoboForm is its Web focus. The program is designed to work with Web forms and logins, not network passwords or encrypted folders (although you can always store that info in its Safenotes feature).

The free version of RoboForm limits you to ten passcards and two identities.

#2: KEEPASS PASSWORD SAFE

For fans of open-source software, KeePass Password Safe is certified by the Open Source Initiative and has all the features I mentioned above plus a few extras. For example, KeePass supports keyfiles, a type of file that acts as a key or password and that you can put on a separate USB flash drive for safe-keeping. The program’s search feature helps you find entries in its database. (Access Manager also offers this feature.)

You can even install KeePass on a USB flash drive and carry it with you wherever you go.

KeePass attempts to solve the window-shuffle problem by providing Auto-Type, a simple scripting system that lets you fill in and submit login data with a single keyboard shortcut. However, I was unable to get Auto-Type to work, and the explanation in the program’s help system was no help in this regard.

As a security precaution, KeePass automatically clears the Clipboard ten seconds after you have used it to copy a name or password.

Several tools, including Access Manager and Password Corral, let you organize your passwords by creating custom groups. KeePass provides several built-in groups to start with and forces you to keep your passwords in at least one of these, even if it’s the top “General” level.

This isn’t a big deal most of the time, but if the group becomes deselected in the tree pane on the left, you won’t see any of your password info in the right pane. And this is annoyingly easy to do if you happen to click anywhere in the left pane to activate the window. To work around this, I put all my data into one group and then dragged the divider until the left pane almost disappeared.

Because the product is open-source, you don’t have to worry about paying an upgrade fee to get more features. And you can download and install a number of third-party plug-ins to enhance it.

Despite its shortcomings, KeePass’s many features make it the best freeware password manager I tested.

#3: CITI-SOFTWARE LTD ACCESS MANAGER

Like RoboForm, Access Manager 2 comes in a free and paid version. The program’s main window requires that you select an account name before you see the database record listing the password and any other info you’ve entered for it. This is the only password manager I looked at with this requirement.

For each account, you can enter not only a URL but also the name of a file, folder, or program that must be unlocked with a password. You can also open such an item from the Access Manager window.

To get data out of your database and into your login screen, Access Manager offers the option to have the password copied to the clipboard while you drag the account name. That way, you switch windows only once: drag to the name field, and then paste in the password field.

However, Access Manager’s more unique features are found only in the $25 version — including the ability to run the program from a USB flash drive, use an onscreen keyboard to foil keyloggers, or delete files securely, just to name a few examples.

Access Manager is a solid product with strong appeal for those who use passwords for more than just Web sites. Still, you’ll need to pay if you want to use the program in a commercial setting or if you need more advanced password-management features.

#4: CYGNUS PRODUCTIONS PASSWORD CORRAL

Password Corral is a typical freeware password manager, but unlike most such tools, the program doesn’t hide your passwords in the main window with the usual asterisks in place of the actual characters. There’s a button you can click to hide (scramble) or unhide the information in the main window, but doing so also hides the user name and URL.

Password Corral is the only password manager I tested that doesn’t let you drag and drop names and passwords into the appropriate files.

Also, the program isn’t intended for Vista: you can’t open its help system in the newest version of Windows. Otherwise, Password Corral runs fine on Vista PCs.

#5: DILLOBITS SOFTWARE 4UONLY

Like Password Corral, 4uonly takes a basic approach to password management, though it does let you drag and drop names and passwords, just as in other password managers.

The program does offer one time-saving feature: it protects your password database by tying it to your Windows account. So as long as you’re logged into Windows, you don’t have to supply 4uonly with a master password. However, you can still assign one in case you are logged in under other credentials.

Unlike the other products I reviewed, 4uonly doesn’t give you the option to organize your passwords into groups to help manage a large number of accounts.

More disturbingly, I noticed the status bar sometimes stated, “The clipboard is empty,” even when my password was still on the clipboard. The program’s command to clear the clipboard resolved this, but the misleading message is a serious security bug.

That’s the only big problem with 4uonly, but why bother using this program when there are safer alternatives you can get for free?

Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.

Internet dating services have become overwhelmingly popular in our technologically savvy age. We are constantly inundated with advertisements featuring happy, loving couples who allegedly met online. If you believe the hype, everyone seems to be finding the love of their life via the Internet … everyone except Erik Weiner.

This hilarious rap rehashes Erik’s failed attempts to find love on the Web — or even a date — as well as the activity he’s driven to when the Internet just doesn’t seem to hold a love connection for him. (Warning: adult language.) It’s all right, Erik, we’ve all been there.

There are so many backup options available that it’s difficult to decide which is the best.

Of course, you have to figure out which files you need to back up before you can determine the best method for doing so.

Are you backing up all the files you need to?

When people think of “backup,” most of them focus on their Word docs, spreadsheets, e-mail, and other application files. These are certainly important, but there are a lot of other vital files on your PC.

Your bookmarks, browsing history, and saved passwords are examples of such files — not to mention the key settings in your application programs, such as the account information for your e-mail and FTP clients. The list goes on and on.

The best way to identify your backup needs is to imagine that you’ve bought a brand-new PC. Ask yourself: “What information would I need to move to that PC so I could work efficiently?”

This is not a theoretical exercise; if your current PC gets stolen or fails catastrophically, you’ll find yourself in this exact position.

New file-sharing sites are springing up faster than campaign promises, but which one is the best for your needs?

The answer depends largely on how much disk space and bandwidth you require, as well as which special features you find most important in the six services I tested.

File-sharing sites make mega-uploads a breeze

There’s nothing new about file-sharing services. Among the increasingly crowded field are a few mainstays that have been around for years. There are also a few shining stars, though as you might suspect, no two services offer the same set of features. That can make it difficult to find the one that best meets your needs.

For example, you might use a file-sharing service to distribute software that you’ve developed or to share your photographs or audio and video recordings. Any file that would tax your own system to disseminate is a good candidate to drop onto a file-sharing site.

Just to be clear, these file-sharing sites are not synonymous with peer-to-peer networks. You use file-sharing services just as you would any other Web service: via your browser. You don’t need any additional software to upload and download the files, unlike BitTorrent and other peer-to-peer systems.

Although you might consider using the tested file-sharing sites for remote backup, the services are not really intended for that purpose. For one thing, your uploaded files might wind up in search results, because search engines often index these services’ download pages. You may or may not want your files to be discoverable, so keep this in mind when considering what to upload.

Fake security programs are taking advantage of user gullibility in order to hold people’s PCs for ransom.

Windows XP users who are running with administrator rights are especially vulnerable to these drive-by downloads.

System-clogging antivirus scam hits home

Queries entered at Google and other Web search engines are returning links to sites that try to infect your system with the dreaded Antivirus 2008/2009 scam. This threat was reported by Windows Secrets associate editor Scott Dunn on Sept. 4 and described by the folks at the Internet Storm Center in a Sept. 15 bulletin.

My dad was one of the victims of this malware after he followed such a search link. These downloads purport to be free antivirus programs, yet in reality they offer no protection but demand payment for their removal.

While a visit to the malware-cleaning site Malwarebytes helped me get my dad’s PC back into shape, the incident points out how difficult it is to secure a Windows XP workstation when the user runs with full administrator rights.

Search engines do not cleanse their results, and antivirus programs are not stopping many of these rogue variants. They morph and change just enough to evade our virus protection.

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period.